Resubmissions
09-11-2024 01:48 | 241109-b8bfnsxkgr | 10
09-11-2024 01:46 | 241109-b7asratmfs | 10
08-11-2024 23:02 | 241108-21j1yssaln | 10
Analysis
max time kernel: 112s
max time network: 113s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 08-11-2024 23:02
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo
Resource
win10ltsc2021-20241023-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAA0D.tmp | WannaCry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAA24.tmp | WannaCry.exe
-
Executes dropped EXE 8 IoCs
pid | Process
4492 | WannaCry.exe
1780 | WannaCry.exe
1560 | WannaCry.exe
4564 | !WannaDecryptor!.exe
5980 | WannaCry.exe
3020 | !WannaDecryptor!.exe
952 | !WannaDecryptor!.exe
4828 | !WannaDecryptor!.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" | WannaCry.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow | ioc
81 | raw.githubusercontent.com
82 | raw.githubusercontent.com
83 | raw.githubusercontent.com
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\503a9f77-6124-488b-8371-3e5464f96afe.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241108230319.pma | setup.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WannaCry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WannaCry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WannaCry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WannaCry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Kills process with taskkill 4 IoCs
pid | Process
2560 | taskkill.exe
3680 | taskkill.exe
4056 | taskkill.exe
2328 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
3652 | msedge.exe
3652 | msedge.exe
1812 | msedge.exe
1812 | msedge.exe
744 | identity_helper.exe
744 | identity_helper.exe
1508 | msedge.exe
1508 | msedge.exe
5200 | WMIC.exe
5200 | WMIC.exe
5200 | WMIC.exe
5200 | WMIC.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process
1812 | msedge.exe
1812 | msedge.exe
1812 | msedge.exe
1812 | msedge.exe
1812 | msedge.exe
1812 | msedge.exe
1812 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2328 | taskkill.exe
Token: SeDebugPrivilege | 4056 | taskkill.exe
Token: SeDebugPrivilege | 2560 | taskkill.exe
Token: SeDebugPrivilege | 3680 | taskkill.exe
Token: SeIncreaseQuotaPrivilege | 5200 | WMIC.exe
Token: SeSecurityPrivilege | 5200 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 5200 | WMIC.exe
Token: SeLoadDriverPrivilege | 5200 | WMIC.exe
Token: SeSystemProfilePrivilege | 5200 | WMIC.exe
Token: SeSystemtimePrivilege | 5200 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 5200 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 5200 | WMIC.exe
Token: SeCreatePagefilePrivilege | 5200 | WMIC.exe
Token: SeBackupPrivilege | 5200 | WMIC.exe
Token: SeRestorePrivilege | 5200 | WMIC.exe
Token: SeShutdownPrivilege | 5200 | WMIC.exe
Token: SeDebugPrivilege | 5200 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 5200 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 5200 | WMIC.exe
Token: SeUndockPrivilege | 5200 | WMIC.exe
Token: SeManageVolumePrivilege | 5200 | WMIC.exe
Token: 33 | 5200 | WMIC.exe
Token: 34 | 5200 | WMIC.exe
Token: 35 | 5200 | WMIC.exe
Token: 36 | 5200 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 5200 | WMIC.exe
Token: SeSecurityPrivilege | 5200 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 5200 | WMIC.exe
Token: SeLoadDriverPrivilege | 5200 | WMIC.exe
Token: SeSystemProfilePrivilege | 5200 | WMIC.exe
Token: SeSystemtimePrivilege | 5200 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 5200 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 5200 | WMIC.exe
Token: SeCreatePagefilePrivilege | 5200 | WMIC.exe
Token: SeBackupPrivilege | 5200 | WMIC.exe
Token: SeRestorePrivilege | 5200 | WMIC.exe
Token: SeShutdownPrivilege | 5200 | WMIC.exe
Token: SeDebugPrivilege | 5200 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 5200 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 5200 | WMIC.exe
Token: SeUndockPrivilege | 5200 | WMIC.exe
Token: SeManageVolumePrivilege | 5200 | WMIC.exe
Token: 33 | 5200 | WMIC.exe
Token: 34 | 5200 | WMIC.exe
Token: 35 | 5200 | WMIC.exe
Token: 36 | 5200 | WMIC.exe
Token: SeBackupPrivilege | 5312 | vssvc.exe
Token: SeRestorePrivilege | 5312 | vssvc.exe
Token: SeAuditPrivilege | 5312 | vssvc.exe
-
Suspicious use of FindShellTrayWindow 54 IoCs
Suspicious use of SendNotifyMessage 40 IoCs
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
4564 | !WannaDecryptor!.exe
4564 | !WannaDecryptor!.exe
3020 | !WannaDecryptor!.exe
3020 | !WannaDecryptor!.exe
952 | !WannaDecryptor!.exe
4828 | !WannaDecryptor!.exe
952 | !WannaDecryptor!.exe
4828 | !WannaDecryptor!.exe
1812 | msedge.exe
1812 | msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffce89046f8,0x7ffce8904708,0x7ffce89047182⤵PID:4588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:22⤵PID:4408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:82⤵PID:4464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:12⤵PID:4876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:12⤵PID:4692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:82⤵PID:4780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
PID:4732 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6b9255460,0x7ff6b9255470,0x7ff6b92554803⤵PID:716
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵PID:4272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵PID:2804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:12⤵PID:3400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:12⤵PID:3688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵PID:4872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5924 /prefetch:82⤵PID:988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6860 /prefetch:82⤵PID:4540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,8903619551134647535,18002187388140239916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508
-
-
C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4492
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 55311731107060.bat
3⤵
- System Location Discovery: System Language Discovery
PID:1356
-
C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
4⤵
- System Location Discovery: System Language Discovery
PID:4056
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4564
-
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3680
-
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3020
-
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
3⤵
- System Location Discovery: System Language Discovery
PID:920
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4828
-
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
- System Location Discovery: System Language Discovery
PID:1580
-
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5200
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:952
-
C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1780
-
C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1560
-
C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5980
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2512
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:544
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5312
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD5a421587e31a9728f80feaeddbd599e0b
SHA1003548b0ca3c16b94148156e805b30b742577927
SHA256590b83e06255dbeac0da10ad93e3a2bc509ad6a2526c080007a907c414f47015
SHA512819a7cce137b16fc82ed2a41f80d3a904d67877ed777f7188265798c52af033022fbda2276d726dadf103bcd74a70348453ae871c6a52938bc6a617d54b4df3e
-
Filesize
8KB
MD5398e43655800dda53eeac1511d605271
SHA14d466f0eb6f29a4dfad003e1e090c081b6e20644
SHA256550401254fa4218c460976f6aedb858f66119247a80b49846f027b2c929733f7
SHA512459333aab7cf9bb500da4e1ce69fa05dfbb17244ce56dc64ec5916fd2e5ae12a785350569938a41d58dd90cec7bcf3a24cb91a16a81722f5d35fac696f984f51
-
Filesize
11KB
MD5531e2c9e7ca686ef439795e17fab1fe6
SHA103d67a76471d7fb9dc1ca16d24717c3aee71a5da
SHA25667388c534e5552556bd165d20bea2cee19cb85672467fb64a37fcfdfa51af2b0
SHA5124945778f2a091e650c677df799749505aee9b0d7579eaa55dda47f19296863cc77e08ff3fe2f9256cbd42bb3706b2342cfaf5e9794a9253e4742d82ebcfc8c41
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB